Comprehensive Security for the Enterprise II: Guarding the Perimeter and Controlling Access
1.
Comprehensive Security for the Enterprise:
Guarding the Perimeter and Controlling Access
Sam Heywood, Director Product Management - Security, Cloudera
Joey Echeverria, Software Engineer, Cloudera
2. 2 ©2014 Cloudera, Inc. All rights reserved.
• Cloudera is the most secure Hadoop platform
• Gazzang acquisition
• Sign up for the 7/22 webinar on encryption and key management
• Cloudera Center for Security Excellence
Webinar I: Compliance-Ready Hadoop Recap
3.
Cloudera’s Vision for Hadoop Security
Comprehensive
• Standards-based Authentication
• Centralized, Granular Authorization
• Native Data Protection
• End-to-End Data Audit and Lineage
Compliance-Ready
• Meet compliance requirements
• HIPAA, PCI-DSS, FERPA, etc.
• Encryption and key management
Transparent
• Security at the core
• Minimal performance impact
• Compatible with new components
• Insight with compliance
4.
• CDH supports Kerberos authentication and over-the-wire encryption
• Cloudera Manager simplifies Kerberos configuration and enables direct AD integration
• Sentry provides unified authorization across multiple access paths
• A single authorization policy is enforced for Impala, Hive and Search
• Role-based access at Server, Database, Table or View granularity
• Multi-tenant: separate policies for each database / schema
• HDFS extended ACLs and HBase cell-level access control
• Navigator encryption and key management deliver compliant data security
• Via the Gazzang acquisition
• Navigator provides the data management layer, including audit, access control reviews, data classification and discovery, and lineage
Cloudera Security Capabilities
5.
Key Requirements for Security in Hadoop
Perimeter: guarding access to the cluster itself. Technical concepts: authentication, network isolation.
Data: protecting data in the cluster from unauthorized visibility. Technical concepts: encryption, tokenization, data masking.
Access: defining what users and applications can do with data. Technical concepts: permissions, authorization.
Visibility: reporting on where data came from and how it’s being used. Technical concepts: auditing, lineage.
6.
Guard the Perimeter
Perimeter pillar (same four-pillar diagram as slide 5), addressed by: Kerberos | AD/LDAP
Preserve multiple entry points while providing strong authentication that’s easy to manage
• Kerberos: industry standard, integrated into Cloudera Manager
• LDAP/AD: username/password
• SAML: single sign-on
7.
Core
• Kerberos-based: use industry-standard Kerberos
• Strong, mutual authentication between all Hadoop services, and to clients or client proxies
• Cloudera Manager hides the complexity
• Plug directly into AD for Kerberos
Edge
• Username/password, validated against LDAP/AD
• SAML for SSO
• Kerberos clients no longer required on most user end-points
Perimeter: Authentication in Hadoop
8.
• Users don’t want Yet Another Credential
• Corporate IT doesn’t want to provision and maintain thousands of service principals and keytabs
• Solution: local KDC + one-way trust
• Run an MIT Kerberos KDC in the cluster
• Put all service principals there
• Set up a one-way trust: the local KDC trusts the central corporate realm, so corporate users can authenticate to the cluster while cluster principals gain no access to corporate services
• Normal user credentials can be used to access Hadoop
• Recommended: use Cloudera Manager
• To properly tune the inter-related configuration knobs
• To manage principal/keytab creation and distribution
• To preserve service monitoring with Kerberos security enabled
IT Integration: Kerberos
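The trust on this slide only does its job if Hadoop can map a principal from the corporate realm onto a local user name, which is what the hadoop.security.auth_to_local property in core-site.xml controls. The following is an added example, not Cloudera’s or Hadoop’s code: a small evaluator for that rule grammar (simplified, with no backreferences in the s/// replacement), with the realm names HADOOP.EXAMPLE.COM and CORP.EXAMPLE.COM assumed as placeholders. It puts the filtered rules a one-way trust needs beside an unfiltered rule that would let a principal from any realm the KDC is ever made to trust land on a local account of the same name.

```python
"""Check hadoop.security.auth_to_local rules for a cross-realm setup, offline.

Added example, not Cloudera's or Hadoop's code. It re-implements the rule
grammar of Hadoop's KerberosName class (simplified: no backreferences in the
s/// replacement) so the realm-to-short-name mapping that a one-way trust
depends on can be tested before the cluster is kerberized. Realm and host
names are assumed placeholders.
"""
import re

LOCAL_REALM = "HADOOP.EXAMPLE.COM"  # assumed: realm served by the in-cluster MIT KDC
CORP_REALM = "CORP.EXAMPLE.COM"     # assumed: corporate AD realm the local KDC trusts

# RULE:[n:format](filter)s/pattern/replacement/flags ; filter and s/// are optional
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<filter>[^)]*)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<flags>[gL]*))?$"
)


def split_principal(principal):
    """'hdfs/nn1.example.com@HADOOP.EXAMPLE.COM' -> (['hdfs', 'nn1.example.com'], 'HADOOP.EXAMPLE.COM')"""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rules(principal, rules, local_realm=LOCAL_REALM):
    """Return the short (OS / HDFS) user name for principal, or raise ValueError
    when no rule matches, which is what Hadoop does ("No rules applied to ...")."""
    components, realm = split_principal(principal)
    for rule in rules:
        rule = rule.strip()
        if rule == "DEFAULT":
            # DEFAULT accepts only principals from the cluster's own realm
            if realm == local_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"malformed rule: {rule}")
        if len(components) != int(m.group("n")):
            continue
        # Principal translation: $0 is the realm, $1.. the name components
        name = m.group("fmt").replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            name = name.replace(f"${i}", comp)
        # The acceptance filter must match the whole string (Java Matcher.matches)
        if m.group("filter") is not None and not re.fullmatch(m.group("filter"), name):
            continue
        if m.group("pat") is not None:
            count = 0 if "g" in m.group("flags") else 1
            name = re.sub(m.group("pat"), m.group("rep"), name, count=count)
            if "L" in m.group("flags"):
                name = name.lower()
        # Hadoop refuses results that still carry a realm or instance ("non-simple name")
        if "@" in name or "/" in name:
            raise ValueError(f"rule {rule} produced non-simple name {name!r}")
        return name
    raise ValueError(f"No rules applied to {principal}")


# What a cluster with a one-way trust to CORP needs: accept CORP users (with or
# without an instance) and strip the realm; DEFAULT then handles the cluster's
# own service principals and rejects everything else.
TRUST_RULES = [
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    r"RULE:[2:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]

# A common mistake: no realm filter, so a principal from any realm the KDC is
# ever made to trust lands on a local account of the same name.
SLOPPY_RULES = [r"RULE:[1:$1]", "DEFAULT"]

if __name__ == "__main__":
    samples = [
        "alice@CORP.EXAMPLE.COM",
        "hdfs/nn1.example.com@HADOOP.EXAMPLE.COM",
        "hdfs@OTHER.EXAMPLE.COM",
    ]
    for label, rules in (("trust", TRUST_RULES), ("sloppy", SLOPPY_RULES)):
        for p in samples:
            try:
                print(f"{label:6} {p:42} -> {apply_rules(p, rules)}")
            except ValueError as err:
                print(f"{label:6} {p:42} -> rejected: {err}")
```

Running it shows why DEFAULT alone is not enough for the two-realm design (corporate users are rejected with "No rules applied"), and why the realm filter matters: under SLOPPY_RULES, hdfs@OTHER.EXAMPLE.COM becomes the local hdfs superuser. The trust direction is the KDC’s concern; this mapping is the boundary on the Hadoop side. With the alternative on the next slide, where everything lives in AD, the cluster realm is the AD realm and DEFAULT suffices.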
9.
Because...
• Some companies don’t want to install and maintain MIT Kerberos
• They have one department responsible for managing identities, and it uses AD
• They already have Active Directory running at scale
• Concerns about setting up a one-way trust between the MIT KDC and AD
Proposed Solution:
• Use the existing Active Directory (AD) to manage both service and user principals
• Already set up with HA and scale; can handle thousands of service principals
• No need for a one-way trust to an MIT KDC
• Cloudera Manager provides automation for a very tedious and error-prone process
• Required: an AD account delegated the right to create the cluster’s (non-admin) service principals
Alternative AD Integration Solution
10.
Control Access
Four-pillar diagram (as on slide 5) with the component addressing each pillar:
Perimeter (authentication, network isolation): Kerberos | AD/LDAP
Access (permissions, authorization): Sentry | Rhino
Visibility (auditing, lineage): Cloudera Navigator
Data (encryption, tokenization, data masking): Encrypt | Key Trustee
Sentry
• Apache project contributed by Cloudera in 2013
• Unified authorization for Hive, Impala and Search
Rhino
• Contributed by Intel in 2013
• Blueprint for enterprise-grade security, including authorization
11.
Two Sub-Optimal Choices for SQL on Hadoop
Security Challenges Prior to Sentry
• Insecure advisory authorization
• Users can grant themselves permissions
• Intended to prevent accidental deletion of data
Problem: doesn’t guard against malicious users
• HDFS impersonation
• Data is protected at the file level by HDFS permissions
Problem: file-level is not granular enough
Problem: not role-based
12.
Apache Sentry + Project Rhino
Open Source Sentry - Unified Authorization Mechanism
Compliance-Ready: meet regulatory requirements with one system (PII, HIPAA, etc.)
Access Control: store sensitive data in Hadoop with fine-grained controls
Unified: fine-grained authorization and RBAC with one system
Multi-Tenancy: extend Hadoop to more users with a central administration group
Developed in collaboration with Intel and the community through Project Rhino
[Diagram: platform stack (batch processing, analytic SQL, search engine, workload management, filesystem and online NoSQL storage) with the Impala, Hive and Solr engines highlighted]
13.
Key Capabilities of Sentry
One Policy Enforced on Multiple Access Paths
Unified authorization across Impala, Hive and Search
Fine-Grained Authorization
Specify security for SERVERS, DATABASES, TABLES & VIEWS
Role-Based Authorization
SELECT privilege on views & tables
INSERT privilege on tables
TRANSFORM privilege on servers
ALL privilege on the server, databases, tables & views
ALL privilege is needed to create/modify schema
Multitenant Administration
Separate policies for each database/schema
Can be maintained by separate admins
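To make the object hierarchy and privilege model above concrete, here is an added example, not Sentry’s own code: a small evaluator for the [groups]/[roles] policy-file format Sentry used at the time. The policy text, the database, table and view names and the groups are constructed; group membership, which Sentry obtains from Hadoop’s group mapping (OS or LDAP groups), is passed in directly. It models the field-level restriction pattern of the health-care use case later in the deck: reporting users get SELECT on a de-identified view only, analysts own a separate database under a separate policy, and only server-level ALL can create or alter schema.

```python
"""Evaluate a Sentry-style policy file offline.

Added example, not Sentry's code: an evaluator for the [groups]/[roles]
policy-file format Sentry used in 2014, showing how the server > database >
table/view hierarchy, the SELECT/INSERT/ALL privileges and per-database
policies combine. All names below are constructed; group membership would
normally come from Hadoop's group mapping (OS or LDAP groups).
"""
import configparser

# Constructed policy: reporting users may only SELECT a de-identified view,
# analysts hold ALL on their own research database, platform admins hold ALL
# on the server (which is what creating or altering schema requires).
POLICY_INI = """
[groups]
reporting = reporting_role
analytics = analytics_role
platform_admin = admin_role

[roles]
reporting_role = server=server1->db=clinical->table=patients_deid->action=select
analytics_role = server=server1->db=research
admin_role = server=server1
"""


def parse_privilege(spec):
    """'server=server1->db=clinical->table=x->action=select' -> (scope dict, action)."""
    parts = dict(kv.split("=", 1) for kv in spec.split("->"))
    action = parts.pop("action", "all").lower()  # no action given means ALL on that scope
    return parts, action


def load_policy(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(text)
    groups = {g: [r.strip() for r in v.split(",")] for g, v in cp["groups"].items()}
    roles = {r: [parse_privilege(p.strip()) for p in v.split(",")]
             for r, v in cp["roles"].items()}
    return groups, roles


def authorized(user_groups, policy, action, server, db=None, table=None):
    """True if a role reachable through user_groups grants `action` on the object.

    A grant higher in the hierarchy (server, db) covers everything beneath it,
    and ALL implies SELECT and INSERT. A view is authorized like a table, which
    is how column-level restriction works: grant SELECT on the view, never on
    the base table.
    """
    groups, roles = policy
    requested = {"server": server, "db": db, "table": table}
    for group in user_groups:
        for role in groups.get(group, []):
            for scope, granted in roles.get(role, []):
                scope_matches = all(requested.get(k) == v for k, v in scope.items())
                if scope_matches and granted in ("all", action.lower()):
                    return True
    return False


POLICY = load_policy(POLICY_INI)

if __name__ == "__main__":
    checks = [
        (["reporting"], "select", "server1", "clinical", "patients_deid"),
        (["reporting"], "select", "server1", "clinical", "patients"),
        (["reporting"], "insert", "server1", "clinical", "patients_deid"),
        (["analytics"], "insert", "server1", "research", "cohorts"),
        (["analytics"], "select", "server1", "clinical", "patients_deid"),
        (["platform_admin"], "all", "server1", "clinical", None),
        (["reporting"], "all", "server1", None, None),
    ]
    for user_groups, action, server, db, table in checks:
        obj = ".".join(x for x in (server, db, table) if x)
        print(f"{user_groups[0]:15} {action:6} {obj:32} -> "
              f"{authorized(user_groups, POLICY, action, server, db, table)}")
```

The evaluator answers the questions the slide raises: SELECT on the view does not leak the base table, INSERT is not implied by SELECT, and a database-level grant stays inside its database, which is the multi-tenant separation. One caveat a deployment must honour: Sentry enforces these grants inside HiveServer2, Impala and Search, while the data underneath is still HDFS files. In practice that means HiveServer2 impersonation is turned off and the warehouse directories are owned by the hive user with no access for end users; otherwise anyone can read the base table directly from HDFS and bypass the view, which is the HDFS-impersonation weakness slide 11 describes.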
14.
Financial Services Organization
• Identify patterns in financially-sensitive, PCI-compliant data
• Before: Hadoop usage supported a broad audience but was restricted to non-sensitive workloads due to lack of data access controls
• Now: data access controls allow sensitive workloads on restricted data sets inside the general-use cluster
Financial data for fraud and purchasing behavior analysis
15.
Health Care Organization
• Eliminate the multi-step process required to combine data sets for periodic reporting
• Before: combining data in Hadoop was problematic, as departments were effectively given access to all columns in all data sets
• Now: all data stored in Hadoop and report production greatly simplified, while maintaining appropriate role-based, field-level access restrictions
Streamline reporting and administration tasks
16.
Key Benefits of Sentry
Store Sensitive Data in Hadoop
Extend Hadoop to More Users
Enable New Use Cases
Enable Multi-User Applications
Comply with Regulations
17. Cloudera Confidential.
• Sentry continues to unify authorization permissions management across the Hadoop ecosystem
• Extension to additional components: Spark, MapReduce, Pig, Sqoop, Hive Metastore, etc.
• File- and column-level access in HDFS
• Additional granularity
• Including document-level permissions for Search
• Streamlined configuration management
• Delegated GRANT and REVOKE through SQL interfaces
• Flat-file configuration no longer required (permissions stored in a database)
• Permissions GUI
Sentry - Roadmap
18.
Key Requirements for Security in Hadoop
Four-pillar diagram (as on slide 5): Perimeter (authentication, network isolation), Data (encryption, tokenization, data masking), Access (permissions, authorization), Visibility (auditing, lineage).
Covered in this webinar: Perimeter and Access. Coming soon: Data and Visibility; register for the July 22 and Aug 7 webinars.
19.
[Diagram: Cloudera Enterprise platform. Analytic & processing engines: batch processing, analytic MPP SQL, search engine, machine learning, stream processing, 3rd-party apps. Unified data storage & integration: distributed filesystem, online NoSQL database. Systems management: end-to-end, zero-downtime system administration; workload & resource management. Security & governance: Perimeter (authentication), Access Control (authorization), Data Protection (encryption, key management), Data Visibility (audit, lineage), Data Lifecycle (BDR, snapshots).]
Cloudera Enterprise: Comprehensive, Transparent, Compliance-Ready Security
20.
✔ Meet compliance requirements
✔ Innovate without compromise
✔ Comprehensive security for all data